[ Security Alert ] 31 August, 2010 11:34


    AegisLab, the security research group of Lionic Corp., constantly monitors malicious web pages, such as drive-by downloads, spam, and scareware. We collect the downloaded malware into our repository, and, not surprisingly, the number of malware samples collected from web pages has increased dramatically.

    The following figure is generated from our statistics from the beginning of this year to this August.


    The Lionic WebGuard solution always adds all the malicious URLs to our list at the first moment, to help keep users away from attack and infection.

By AegisLab

[ General ] 26 August, 2010 13:51

    SyScan'10 Taipei (official site here: http://syscan.org/Tpe/index.php ) finished at the end of last week, and some AegisLab professionals attended this conference. Some topics were quite interesting, and we highlight them here.


[ Security Alert ] 23 August, 2010 13:41

**Update 2010-08-27**

   Yahoo.js has new vulnerable sites, and the downloaded executable has changed. So far, Google SafeBrowsing has not included the download site.

   The new vulnerable sites:



     Detection rate of the latest new "s.exe" in VT: 17/42 (40.5%)

     Lionic WebGuard can stop this download path as of 2010-8-26.


[ Security Alert ] 18 August, 2010 18:28

1. Affected Versions


Adobe ColdFusion 9.0.1 and earlier versions


2. Description


  1. Adobe ColdFusion is a web server that can execute CFML (ColdFusion Markup Language). CFML is a scripting language similar to JSTL (JSP Standard Tag Library).


  2. A vulnerability has been found in Adobe ColdFusion: it does not handle the URL correctly. A malicious user can send a specific URL request to the server, and the file content is then shown in the web page automatically. This vulnerability is labeled CVE-2010-2861.

[ Security Alert ] 16 August, 2010 14:26
    AegisLab constantly monitors the "yahoo.js" malicious script mentioned in previous security alerts. Today we discovered that the downloaded executable has changed and the detection rate has dropped.


[ Sample Analysis ] 13 August, 2010 15:03

    Recent news about the first Android virus: http://pocketnow.com/android/first-android-virus , Kaspersky Virus News http://www.kaspersky.com/news?id=207576152 , and Lookout http://blog.mylookout.com/2010/08/security-alert-first-android-sms-trojan-found-in-the-wild/#comments .

    Thanks to contagio for providing the sample.

    After both disassembly and runtime analysis, we observed one malicious behavior: it sends SMS messages to '3353' or '3354' with the text '798657' when launched for the first time. After that it remains silent. This may cost money if 3353 or 3354 is available in that country.

    Some static analyses are already available on the Internet, such as http://www.alienvault.com/blog/jaime/Malware/Analysis_of_Trojan-SMS.AndroidOS.FakePlayer.a.html , so we do it a bit differently. If we slightly modify its behavior, changing the destination number from 3353 to 5556 (the emulator number), and assemble it back into an apk, we can simulate the user who receives the SMS; see below:
